A switch on a TRILL network has both a Layer 2 forwarding function and a Layer 3 forwarding function, and is generally referred to as a Routing Bridge (RBridge or RB). The TRILL runs on a data link layer, that is, a second layer in an Open System Interconnection (English: OSI) model, and uses link-state routing on the data link layer.
A general manner of defending against a packet attack is Dynamic Host Configuration Protocol snooping (DHCP snooping). A network device executing DHCP snooping presets some physical ports on the network device to be used for transmission of traffic from a network side, and presets some other physical ports to be used for transmission of traffic from a user side. When performing a security check, the network device executing DHCP snooping does not perform a security check on the traffic coming from the network side, but performs a security check on the traffic coming from the user side, and only allows a packet whose Internet Protocol (IP) address comes from a DHCP snooping binding table to pass. The traffic from the network side and the traffic from the user side are transmitted by using different physical ports, but a packet for launching the attack usually comes from the traffic from the user side. Therefore, adoption of this manner of performing a security check on the traffic from the user side can defend against the attack to some extent.
However, a topology structure of the TRILL network may be in a ring shape or a mesh shape. On the TRILL network whose topology structure is in the ring shape or the mesh shape, a physical port on a network device possibly receives not only the traffic from the user side but also the traffic from the network side. In this case, this network device cannot distinguish the traffic from the user side from the traffic from the network side based on the physical port, and therefore cannot effectively defend against the attack.